oss-security February 2011 archive

[oss-security] Re: [vendor-sec] OpenSSH security advisory: legacy certificate signing in 5.6/5.7

From: Josh Bressers <bressers_at_nospam>
Date: Fri Feb 04 2011 - 17:44:16 GMT
To: Damien Miller <djm@cvs.openbsd.org>

Please use CVE-2011-0539 for this.

Thanks.

-- JB

----- Original Message -----
> OpenSSH Security Advisory: legacy-certs.adv
>
> This document may be found at:
> http://www.openssh.com/txt/legacy-cert.adv
>
> 1. Vulnerability
>
> Legacy certificates generated by OpenSSH might contain data
> from the stack thus leaking confidential information.
>
> 2. Affected configurations
>
> OpenSSH 5.6 and OpenSSH 5.7 only when generating legacy
> certificates. These must be specifically requested using the
> "-t" option on the ssh-keygen CA command-line.
>
> 3. Mitigation
>
> Avoid generating legacy certificates using OpenSSH 5.6 or 5.7
>
> If legacy certificates have been issued with a vulnerable
> OpenSSH version, consider rotating any CA key used.
>
> 4. Details
>
> When generating legacy *-cert-v00@openssh.com certificates,
> the nonce field was not being correctly filled with random
> data but was left uninitialised, containing the contents of
> the stack.
>
> The contents of the stack at this point in ssh-keygen's
> execution do not appear to leak the CA private key or other
> sensitive data, but this possibility cannot be excluded on
> all platforms and library versions.
>
> If certificates are generated using user-specified contents
> (as opposed to the CA specifying all fields) then they will
> be less resistant to hash collision attacks. Fortunately,
> such attacks are not currently considered practical for the
> SHA family of hashes used to sign these certificates.
>
> 5. Credit
>
> This issue was privately reported by Mateusz Kocielski on
> January 26, 2011.
>
> 6. Fix
>
> OpenSSH 5.8 contains a fix for this vulnerability. Users who
> prefer to continue to use OpenSSH 5.6 or 5.7 may apply this
> patch:
>
> Index: key.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/key.c,v > retrieving revision 1.95 > diff -u -r1.95 key.c > --- key.c 10 Nov 2010 01:33:07 -0000 1.95 > +++ key.c 3 Feb 2011 06:52:33 -0000 
> @@ -1823,8 +1823,8 @@ > buffer_put_cstring(&k->cert->certblob, key_ssh_name(k)); > > /* -v01 certs put nonce first */ > + arc4random_buf(&nonce, sizeof(nonce)); > if (!key_cert_is_legacy(k)) { > - arc4random_buf(&nonce, sizeof(nonce)); > buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); > } > > _______________________________________________ > Vendor Security mailing list > Vendor Security@lst.de > https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
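
Review bot: in the @@ -1823,8 +1823,8 @@ hunk of key.c, the comment /* -v01 certs put nonce first */ is left directly above the added arc4random_buf(&nonce, sizeof(nonce)); call, so it no longer describes the line that follows it. Move the comment down so it sits immediately above if (!key_cert_is_legacy(k)) {, and give the arc4random_buf call its own one-line comment saying the nonce is filled unconditionally because legacy certificates carry it too (per the advisory's Details section). Without that, a later cleanup could move the call back inside the conditional and reintroduce the uninitialised nonce.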
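
To support the mitigation step quoted above (working out whether legacy certificates have been issued), here is an added example, not part of the advisory or of OpenSSH, that picks out *-cert-v00@openssh.com entries from certificate file lines. It assumes the usual "type base64-blob comment" line layout and uses constructed sample lines; the file contents do not show which OpenSSH version issued a certificate, so matches are candidates for review only.

```python
import base64
import struct

# Suffix taken from the advisory: "*-cert-v00@openssh.com".
LEGACY_SUFFIX = "-cert-v00@openssh.com"

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data

def embedded_type(blob: bytes) -> str:
    """Return the key type stored as the first SSH string of a key blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("truncated type string")
    return blob[4:4 + length].decode("ascii")

def classify(line: str) -> str:
    """Classify one line of a -cert.pub file: 'legacy', 'other' or 'malformed'."""
    parts = line.split()
    if len(parts) < 2:
        return "malformed"
    try:
        inner = embedded_type(base64.b64decode(parts[1], validate=True))
    except ValueError:  # covers bad base64, short blobs and non-ASCII types
        return "malformed"
    if inner != parts[0]:  # declared type must match the one inside the blob
        return "malformed"
    return "legacy" if inner.endswith(LEGACY_SUFFIX) else "other"

def sample_line(key_type: str, comment: str) -> str:
    """Build a CONSTRUCTED line: real type string, zero filler instead of a cert."""
    blob = ssh_string(key_type.encode("ascii")) + b"\x00" * 16
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"

# Constructed inventory; the trailing comments are hypothetical host names.
SAMPLES = [
    sample_line("ssh-rsa-cert-v00@openssh.com", "host-a"),
    sample_line("ssh-rsa-cert-v01@openssh.com", "host-b"),
    "ssh-rsa-cert-v00@openssh.com not-base64! host-c",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(classify(entry), entry.split()[-1])
```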